Slack Adds Two-Factor Authentication Support After Recent Security Breach

slack-logoSlack, which is used by thousands of people world-wide to communicate, recently suffered a security breach. According to Slack, the breach occurred during a four-day period in February.

Hackers gained access to a central database used to store user names, email addresses, and one-way encrypted (“hashed”) passwords. In addition, the database contains information that users may have optionally added to their profiles such as phone number and Skype ID.

Slack uses bcrypt with a randomly generated salt per-password that according to Slack, “makes it computationally infeasible that your password could be recreated from the hashed form.” No financial data was compromised and so far, the company hasn’t found any evidence that the hackers were able to decrypt the stored passwords.

Two New Security Options

Slack has launched two new features for individuals and team owners to help increase security. The first is Two-Factor authentication. Slack has a detailed guide that explains how to configure 2FA for your account. When you enable 2FA, you’ll be prompted to enter a verification code in addition to your normal password whenever you sign in.

The second is a “Password Kill Switch” for team owners. The kill switch allows for instantaneous team-wide resetting of passwords and forced termination of all user sessions for all team members. This means that everyone is signed out of your Slack team, in all apps and on all devices.

Enable 2FA Where Possible

Users are highly encouraged to enable 2FA on Slack and on any other service that supports it. To learn more about Slack’s security principles, including how to report security vulnerabilities, check out their security page.

8 Comments


    1. This is a footnote located at the bottom of their release post that explains why it wasn’t added earlier.

      Q: Why are you releasing Two Factor Authentication now? Why not earlier?

      Two Factor Authentication has been in development for the last few months. It is a complicated change which requires additional support resources, administrative capabilities, changes to all applications, mobile and desktop, and extensive testing. We were about a week from release, with just a few small UI tweaks to simplify and clarify the usage experience.

      We have decided to release it immediately, despite the remaining bits of clunky-ness: the feature works and it does provide a significant new level of protection against unauthorized access to your Slack account. We will be improving this feature in future releases but the feature functionality is what is most important right now.

      Report


  1. A shame that WordPress will not implement 2FA in the core. I was (quite abruptly) told where I could go put my request when I had the temerity to suggest that WP was somewhat lagging behind the ‘obviously inferior’ (well it is actually) Joomla. Especially when there is such a good plugin that implements Google 2FA that could so easily become a feature plugin. It might stick a boot up the **** of the third party user/login plugin writers to support it then.

    Report


    1. The problem with 2FA going into core, is that WordPress is supposed to be a standalone software application. When you start implementing 3rd parties, you’re creating more vulnerabilities than you’re fixing. Also, like you said, there is already a plugin for it. If 2FA is an important feature for you, use the plugin. WordPress doesn’t (and most likely never will) integrate with 3rd party APIs out of the box in core. It just won’t happen.

      Report


  2. Two-Factor Authentication is almost everywhere already. Personally I can not imagine login somewhere with this. Each additional click somewhere makes me not comfortable.

    Report


  3. “According to Slack, the breach occurred during a four-day period in February.”

    So, more than a month since their database was breached and they did not say anything until today? Or did it take them a month to figure out whether or not the hack was real? Either way, that is pretty bad. Don’t get me wrong, their new incentives are good, and their own blog post is very transparent, but… a month? And were the data from all users available to the hackers, or only the “affected” users?

    It could be interesting to hear more about how the hack took place and what changes have been made to the infrastructure, both from the perspective of a user and a fellow developer. Security by obscurity has never been a good idea.

    Also, and this is more in general when reading about hacked systems; I do not care about the passwords being “computationally infeasible” to be generated. That is irrelevant. A system was hacked, data was (most likely) stolen. Period. One shouldn’t really reuse passwords across services anyway.

    Report


  4. This is brilliant news – the more websites and companies that start implementing this extra security, the better, welcome news for many of us I’m sure.

    Report

Comments are closed.